It has been pointed out that SBS 2011 Essentials does not have the familiar wizards to create VPN access to the server. A better and MUCH more secure option is to make use of Remote Web Access, or to add a VPN-capable router that supports an IPsec client, but on occasion there are reasons to still make use of the native Windows VPN feature. Since SBS has traditionally supported the PPTP protocol for its VPN, this article will address creating a similar service on SBS 2011 Essentials. Keep in mind that the MS-CHAPv2 authentication PPTP relies on is known to be cryptographically weak, so treat this as a legacy option for low-risk uses and prefer the alternatives above where you can.

Add the RRAS Role:

The first step is to add the RRAS (Routing and Remote Access) role. To do so open the Server Manager under Administrative Tools, click on roles, scroll down to the Network Policy And Access Service role, and choose Add Role Services.

In the resulting window add the RRAS services.

Click Next, and Install.

Configure RRAS:

Open the newly created RRAS console, under Administrative Tools, and then right click on the server name and choose Configure and Enable Routing and Remote Access. Select Next, and then choose Custom Configuration, and Next.

Select VPN Access and LAN Routing in the next window.

Choose Next, Finish, accept the notification that a default Network Policy Server policy has been created, confirm to start the service (RRAS), and wait for it to complete.

In a default configuration SBS Essentials is not the DHCP server for the network. Though you may be able to configure a DHCP relay, it is simplest to create a static address pool from which VPN clients obtain an IP address. To do so, in the RRAS console right click on the server name and choose Properties. Under the IPv4 tab select Static address pool, click Add, and enter a range of IPs to be assigned to VPN clients. Make sure you have enough to support the total number of simultaneous VPN clients you will have. This range needs to be part of the same subnet as the server itself, and the IPs selected cannot overlap with any existing DHCP scopes or statically assigned devices on the network.

You also need to verify that the number of available PPTP ports is sufficient to support the maximum number of simultaneous VPN connections. The default with SBS Essentials is 50, which should be more than enough. If you wish to make adjustments it can be set between 1 and 128. You can also reduce the number of ports for other protocols not in use if you like, though there is no need. To configure, right click on Ports in the RRAS console below the server name and choose Properties; to make changes highlight the port type and click Configure.

Add a Group:

Next we will create a group for VPN users. Only members of this group will be granted access to the server using the VPN connection. Open Active Directory Users and Computers, expand your domain, right click on Users and choose New, then Group.

Enter a name for your group such as “VPN Users”, select Global for the group scope and Security for the group type, and click OK.

You can now double click on the newly created group and add members by adding individual users or existing groups. For example you might want to add the Domain Users group, if you want to allow all users access. You can manually type these in and click Check Names, or choose Advanced and Find to browse and locate users and groups.

Configure NPS:

The final server configuration step is to add a policy defining who has access to the server through the VPN. In Server 2003 and earlier, if RADIUS was not configured, the common way of allowing access was to simply select “Allow access” in each user’s profile. This still works, but it is better to make use of NPS and have policies define protocols, users, hours of access, and more, so I suggest leaving each user account set to “Control access through NPS Network Policy”.

Again under Administrative Tools, open the Network Policy Server console, expand Policies, and click on Connection Request Policies. You will note on the right that configuring RRAS has already created the default Microsoft Routing and Remote Access Service Policy.

We will add a new Network Policy. Right click on Network Policies and choose New, enter a policy name such as “VPN User Access”, select Remote Access Server (VPN-Dial up) as the type of network access server, and click Next.

In the Specify Conditions window scroll down to find the User Groups option, click Add, Add Groups, enter the name of the group you created earlier (VPN Users), and OK.

In the next two windows you can accept defaults;

Under Configure Constraints choose NAS port type, then under Configure Dial-up and VPN tunnel types select Virtual (VPN), which will automatically check the same under Other.

Accept defaults under Configure Settings, click Next and Finish.

Though you can add many restrictions within the policy, I recommend configuring with the SBS standards as above and thoroughly testing your VPN before tightening security. You can also create multiple policies with different restrictions for different groups if needed.

Windows Firewall:

The above configuration should have automatically created the necessary firewall exceptions for RRAS, but verify them rather than assume.

In the Windows Firewall control panel, Routing and Remote Access should be listed as an allowed program or feature.

In the Windows Firewall with Advanced Security console, the predefined inbound rules Routing and Remote Access (PPTP-In), which allows TCP port 1723, and Routing and Remote Access (GRE-In), which allows IP protocol 47, must both be enabled. (Note: a Routing and Remote Access (L2TP-In) rule is created as well, but it is not necessary for this configuration.)

Router Configuration:

You will also have to manually configure your router to forward the PPTP control connection (TCP port 1723) to the server and to allow GRE (IP protocol 47) through. If UPnP is enabled on the router (which I don’t recommend) the SBS can open the port 1723 forward itself, but UPnP will not address GRE. Configuring a router to forward VPN traffic is done in a multitude of different ways depending on the router used. Most inexpensive SOHO routers are configured by forwarding port 1723 to the IP address of the SBS and selecting “allow PPTP pass-through” under the firewall section. Others let you forward the PPTP service rather than the port, which both forwards port 1723 and enables GRE pass-through. Still others have different methods or require manual commands. Keep in mind GRE is an IP protocol (protocol number 47), not port 47, so it cannot be configured with a port forwarding rule. You can test whether the port forward is correct by entering 1723 in the “port” box at http://www.canyouseeme.org/, but this will not test GRE pass-through. If the VPN connection fails with a 721 or 806 error it usually indicates GRE is blocked. Keep in mind GRE and/or PPTP can also be blocked by third-party security software on your server, or by an ISP that does not support the protocol.
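The two-phase behaviour described above (the TCP 1723 control connection first, GRE only afterwards) can be checked from the client side for the first phase. The script below is an added example and is not part of the original article: it performs the PPTP Start-Control-Connection-Request/Reply exchange from RFC 2637 and reports what the server answered, so a successful reply proves that the 1723 forward actually reaches an RRAS server, while a 721/806 failure after this succeeds points at GRE. It cannot detect a GRE block itself. The target name vpn.example.com, the probe host name and vendor strings, and the sample reply built by build_sccrp() are placeholders constructed for this example.

```python
"""Probe the PPTP control channel (TCP 1723) of a VPN server, per RFC 2637.

Added example, not from the original article. Only the control channel is
tested; GRE (IP protocol 47) is negotiated afterwards and is NOT checked here.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1          # Start-Control-Connection-Request (client -> server)
CTRL_SCCRP = 2          # Start-Control-Connection-Reply   (server -> client)
PROTO_VERSION = 0x0100  # PPTP version 1.0
# Field layouts from RFC 2637 sections 2.1 and 2.2; both messages are 156 bytes.
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
RESULT_CODES = {1: "successful channel establishment", 2: "general error",
                3: "command channel already exists", 4: "not authorized",
                5: "unsupported protocol version"}


def build_sccrq(host_name=b"vpn-probe", vendor=b"example-probe"):
    """Build the SCCRQ a client sends first. Host/vendor strings are arbitrary
    identifiers chosen for this example; the server echoes its own back."""
    return struct.pack(SCCRQ_FMT, struct.calcsize(SCCRQ_FMT), MSG_TYPE_CONTROL,
                       MAGIC_COOKIE, CTRL_SCCRQ, 0, PROTO_VERSION, 0,
                       3,   # framing capabilities: async | sync
                       3,   # bearer capabilities: analog | digital
                       1,   # maximum channels the client wants
                       0,   # firmware revision
                       host_name.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def build_sccrp(result_code=1, error_code=0, host_name=b"SERVER1", vendor=b"Microsoft"):
    """Constructed sample reply so the parser can be exercised offline.
    A real reply comes from the RRAS server, not from this function."""
    return struct.pack(SCCRP_FMT, struct.calcsize(SCCRP_FMT), MSG_TYPE_CONTROL,
                       MAGIC_COOKIE, CTRL_SCCRP, 0, PROTO_VERSION,
                       result_code, error_code, 3, 3, 128, 0,
                       host_name.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Validate and decode an SCCRP; raises ValueError for anything else."""
    size = struct.calcsize(SCCRP_FMT)
    if len(data) < size:
        raise ValueError("short PPTP reply: %d bytes" % len(data))
    (_length, msg_type, magic, ctrl_type, _r0, version, result, error,
     _framing, _bearer, max_channels, _fw, host_name, vendor) = struct.unpack(SCCRP_FMT, data[:size])
    if magic != MAGIC_COOKIE or msg_type != MSG_TYPE_CONTROL:
        raise ValueError("not a PPTP control message")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "ok": result == 1,
        "result_code": result,
        "result_text": RESULT_CODES.get(result, "unknown (%d)" % result),
        "error_code": error,
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "max_channels": max_channels,
        "host_name": host_name.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Connect to the VPN server's public address and run the SCCRQ/SCCRP exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        reply = b""
        while len(reply) < struct.calcsize(SCCRP_FMT):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # assumed name
    info = probe(target)
    print("PPTP control channel to %s: %s (server %s, vendor %s, max channels %d)"
          % (target, info["result_text"], info["host_name"], info["vendor"], info["max_channels"]))
    print("GRE is not tested; a 721/806 error after this succeeds means GRE is blocked.")
```

Run it as `python pptp_probe.py your.public.ip` from the remote site. A TCP timeout means the 1723 forward is missing; a reply with result code 1 means RRAS answered, and any remaining failure lives in GRE, authentication, or NPS.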

While on the subject of routers, it was mentioned above when creating the static address pool in RRAS that “the IPs selected cannot overlap with any existing DHCP scopes or statically assigned devices on the network”. I strongly recommend verifying that the router’s DHCP address range available to clients does not conflict with the static address pool. If your router supports exclusions, add the RRAS static address range; otherwise, taking the example above where we used 192.168.22.200-219 for the static address pool, set the router’s DHCP range to something like 192.168.22.100-199. Again make sure neither conflicts with any device that has a static address, such as a printer.

A note about routing: when traffic is sent from one network segment to another, as is done with a VPN, all segments in the path between client and host must use a different network ID (subnet) for routing to take place. For example, if the remote client and server sites both use 192.168.0.x locally, the VPN will connect, but you cannot access resources. This is important to be aware of since SBS Essentials defaults to letting the router determine the subnet, and if the default router settings are used it is common for it to overlap with the client site. It is always best to use an uncommon subnet for the corporate site, so avoid the common/default subnets listed below and use something like 192.168.123.x when setting up the SBS site.

Avoid the following subnets as they are common router or user defaults with the first two being extremely common: 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, 192.168.111.x, 10.0.0.x, 10.0.1.x, 10.1.1.x, 10.10.10.x, 172.16.1.x
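The address-plan rules stated above (the RRAS pool inside the server’s LAN subnet, no overlap with the router’s DHCP scope or fixed hosts, an uncommon corporate subnet, and a different network ID at every client site) can be checked on paper before touching the router. The script below is an added example, not part of the original article; the addresses in its self-check (192.168.22.x as in the example above, a server at .10, a printer at .20, and a remote site on 192.168.0.x) are constructed for illustration.

```python
"""Address-plan sanity check for an RRAS/PPTP deployment.

Added example, not from the original article. Encodes the four rules the
article states and reports every violation found.
"""
import ipaddress

# Common router/user default subnets listed in the article.
COMMON_DEFAULT_SUBNETS = [ipaddress.ip_network(s) for s in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.100.0/24",
    "192.168.111.0/24", "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24",
    "10.10.10.0/24", "172.16.1.0/24",
)]


def parse_range(text):
    """Parse '192.168.22.200-192.168.22.219' or the shorthand '192.168.22.200-219'
    into an inclusive (first, last) pair of IPv4Address objects."""
    first_text, last_text = text.split("-", 1)
    first_text, last_text = first_text.strip(), last_text.strip()
    if "." not in last_text:  # shorthand: only the final octet was given
        last_text = first_text.rsplit(".", 1)[0] + "." + last_text
    first, last = ipaddress.IPv4Address(first_text), ipaddress.IPv4Address(last_text)
    if last < first:
        raise ValueError("range end %s precedes start %s" % (last, first))
    return first, last


def ranges_overlap(a, b):
    """True if two inclusive (first, last) ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_address_plan(lan_subnet, rras_pool, dhcp_scope, fixed_hosts=(), client_subnets=()):
    """Return a list of problems (empty means the plan is consistent).

    lan_subnet     server-site LAN, e.g. '192.168.22.0/24'
    rras_pool      RRAS static address pool, e.g. '192.168.22.200-219'
    dhcp_scope     router DHCP range, e.g. '192.168.22.100-199'
    fixed_hosts    statically addressed devices (server, printers, ...)
    client_subnets LANs the remote clients will be connecting from
    """
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    pool = parse_range(rras_pool)
    dhcp = parse_range(dhcp_scope)
    problems = []

    # 1. The pool must sit in the server's own subnet (no DHCP relay in this design).
    if not (pool[0] in lan and pool[1] in lan):
        problems.append("RRAS pool %s-%s is not inside LAN subnet %s" % (pool[0], pool[1], lan))

    # 2. The pool must not collide with the router's scope or any fixed address.
    if ranges_overlap(pool, dhcp):
        problems.append("RRAS pool overlaps router DHCP scope %s-%s" % dhcp)
    for host in fixed_hosts:
        addr = ipaddress.IPv4Address(host)
        if pool[0] <= addr <= pool[1]:
            problems.append("RRAS pool contains statically assigned host %s" % addr)
        if dhcp[0] <= addr <= dhcp[1]:
            problems.append("DHCP scope contains statically assigned host %s" % addr)

    # 3. A common default subnet at the server site will sooner or later match a client site.
    for common in COMMON_DEFAULT_SUBNETS:
        if lan.overlaps(common):
            problems.append("LAN subnet %s is a common router default (%s); pick an uncommon one"
                            % (lan, common))
            break

    # 4. Same network ID on both ends: the tunnel comes up but nothing routes.
    for client in client_subnets:
        cnet = ipaddress.ip_network(client, strict=False)
        if lan.overlaps(cnet):
            problems.append("remote site %s overlaps server LAN %s: VPN connects but cannot route"
                            % (cnet, lan))
    return problems


if __name__ == "__main__":
    # Constructed plan matching the article's example addresses.
    for problem in check_address_plan("192.168.22.0/24", "192.168.22.200-219",
                                      "192.168.22.100-199",
                                      fixed_hosts=["192.168.22.10", "192.168.22.20"],
                                      client_subnets=["192.168.0.0/24"]) or ["plan is consistent"]:
        print(problem)
```

Feed it the real numbers from the router and the RRAS IPv4 tab; each remote worker’s home subnet goes into client_subnets, which is where the overlap usually hides.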

Client Configuration:

Creating client access is very straightforward. On the client, open the Network and Sharing Center in Control Panel, click on Connect to a workplace, and Next.

Choose No, create a new connection, and in the next window select Use my Internet connection (VPN). In the resulting window enter the public IP or the FQDN of your SBS site, and a ‘friendly’ name for the connection. Select allow other people to use this connection, and/or don’t connect now, if you wish.

In the final window enter a user name (a member of your VPN Users group) and password. I do not recommend choosing the save password option, for security reasons. Then click Connect. If all is in place you should now be able to connect to the server and other resources on the network. You may wish to test by pinging the server’s LAN IP.

Name Resolution:

You will likely not be able to access resources using either their NetBIOS or DNS name. At this point you are best to connect using the IP address such as \\192.168.123.123\ShareName. If you wish to use DNS names you need to configure the VPN (Virtual NIC) under adapter settings to point to the SBS for DNS, and add the DNS suffix. For more details see: VPN client name resolution

Connection Manager:

With SBS 2003 there was an option to create a deployable VPN client named “Connection Manager”. This was a fully configured client that allowed you access to the server using DNS names, and was very easy for clients to install on their remote computer. This is no longer available, but if interested you can create your own installation package, with connection and DNS options pre-configured, using CMAK (Connection Manager Administration Kit). For details see: http://technet.microsoft.com/en-us/library/cc753977(WS.10).aspx

Updated Jan 31/2011:

After the first client has connected by VPN, check the DNS management console (server properties, Interfaces tab) and see whether the VPN’s virtual adapter IP has been added as a listening address. If so you need to uncheck it, or client machines will receive this as their DNS server IP. You can find the VPN IP by running ipconfig on the server and looking at the PPP adapter.

Thanks Rob!! I fought with this for 2 1/2 days on my own and never got it working. You’re a life saver! I did have one little comment though on the instructions and a difference I saw. At least in my case, it did NOT start the service for me automatically after going through the RRAS configuration. After the config finished I had to right-click on the RRAS item in Server Manager, click All Tasks and Start.

Interesting Cory, I have never seen RRAS not auto-start. If that is the case make sure it is set to automatically start in the services console. With server 2008 and newer it is usually “Automatic (Delayed Start)”. That should have also been automatically configured

Yes, it did properly configure it for Automatic startup for after a reboot, it just did not start it automatically after the config wizard was finished. Not a big deal, and maybe it’s a fluke in my instance. I just wanted to mention it in case someone else read this procedure and ran into the same thing, they know they may need to do that one little extra step.

Just got around to trying this. The server seems to be correctly configured. Also, I was able to find in my DSL router the configuration for GRE forwarding. However when connecting with my client PC from a remote network, I am getting stuck where it says “verifying user name and password”. From this it seems there is an initial connection established but it can’t verify the user. I have tried two different users (one is the server admin). Both were added to the VPN Users security group. Do you have any ideas how I can troubleshoot this problem?

David, yes the initial connection is made using PPTP, GRE is required for the second phase and if blocked, the result is often it will hang on “Verifying username and password”. To verify if it is a GRE issue, try connecting to the LAN IP of the server from the local network. If that successful you know it is a case of GRE being blocked somewhere between client and server. It can be the server site router (most often), client router, ISP, or 3rd party security software.

I have been looking for concise instructions for doing this–thank you! I would like to try this, however; I have some questions first. I have already configured SBS2011e to be the DHCP server, and I would like to add a RADIUS server as well for wireless security. I assume that for the former I would just select DHCP instead of static address pool for assigning remote IP addresses. However, how would the incorporation of a RADIUS server impact your instructions? I think you have already added one based on your screenshots, do you have instructions on doing the same?

A RADIUS/Wireless blog would be a good topic but I am afraid I have not written one as of yet, and it is not really relevant to this article. As for using the DHCP relay, a relay is most often used for obtaining DHCP addressing from a different subnet (different network segment). Where this configuration uses the same subnet for LAN and VPN clients, you are probably best to stay with the configuration as described. Just to express my thoughts on wireless networks: I am not a fan of wireless networks, due to both performance and security. None of my clients have wireless networks for business use, but many do have a wireless guest network isolated from the business network. If users insist on using wireless for business use, they can connect to the business guest network and then VPN to the corporate LAN, the same as they would on any public network, but with improved performance over a WAN connection. To reiterate my original blog statement, keep in mind other services such as RWW/RWA, OWA, rpc/http provide better security and performance than a VPN, though they still have some uses in a network design.

Thanks Rob! this one really saved my bacon. After spending days getting Remote web access to work and the end users finding it lacking. I was looking at a 3rd party box to run VPN at added expense. This really helped.

I have the VPN set up and functioning from many client locations on windows 7 machines based on this post. Thanks for the great walkthrough!

I am having problems getting an XP client to connect to the VPN (error 619, 721, and once even 800 with various tinkering that I tried on the XP client). I believe I actually received 619 once, then ran the exact same configuration and received 721. The initial connection forms without any problems, the “verifying user name and password” box comes up and sits for a while before these errors occur. I ran the VPN connection from a Win7 laptop at the same location and it connected properly. I can only conclude that my XP client is not configured properly but I can’t figure out what to change.

The first thing I would check is the Authentication Protocol on the XP client. In the network connections window, check the properties of the virtual/PPP adapter. Under the security tab, “allow these protocols”, make sure Microsoft Chap ver 2 is checked. By default XP and server 2003 used MS Chap (ver 1).

Having said that, a 721 and often a 619 error indicate GRE is blocked somewhere between client and server. Since other clients are working a GRE problem would be at the client end, not the server site. Local routers, and security software can often block GRE.

Keep in mind as well, if you are connecting multiple clients from one site, all routers have a limit as to how many VPN software clients they will support. This ranges from 1 to 10. If connecting multiple clients from the same site a hardware site-to-site VPN solution is a much better option.

My other client computer is working at the same location as the XP machine and I tried running the XP client with firewall/antivirus software unloaded. Does that not indicate that GRE is passing through? Also, I have already checked and the XP VPN properties had CHAP-2 already allowed by default for some reason.

I did not try to run both client computers over the VPN simultaneously so the router limits should not apply but may be a problem in the future as I was planning on running 3 computers from the remote location.

Any other ideas on the xp setup problems. I’m totally stumped and tired of searching the web for solutions so I thought I’d ask you since this article was what got my VPN running in the 1st place.

I have followed this guide to the T and I am able to successfully access local network shares through my VPN. However, when I have my VPN connection enabled I lose internet access on the client machine. Running SBS 2011 Essentials and client machine is Windows 7 Pro.

That works perfectly. With “Use default gateway” checked, I can use the computer name to access network shares but not access internet, but with that unchecked I can access internet but I have to use ip addresses to access network shares. Would setting the DNS of the client’s VPN or LAN connection to the WAN server ip fix that minor issue?

WAN IP will definitely not work. You want to use the LAN IP of your DNS server, and not the server’s VPN/virtual IP. I am assuming as per the article you have SBSe which is a DNS server. Did you also add the DNS suffix? This again is the internal DNS suffix, not the public suffix. By adding the DNS suffix when you try to access Server1 it adds the suffix making it Server1.InternalDomain.local.

If still having problems, on the connecting client (Win7), go to control panel | network and internet | network connections | on the menu bar – advanced | advanced settings | adapters and bindings | under connections move the VPN adapter or Remote Connections to the top of the priority list.

Steps followed, still only able to access network shares using ip addresses. It’s not a huge issue that I have to resort to using ip addresses, but I’d like to figure out why I can’t make this work.

Perhaps one of the issues I’m facing is the fact that I’m trying to set up the server as a dual-nic internet router, which sbs 2011 is not truly designed to do. I will revisit this issue after a few days when I start installing a few test machines on the LAN ahead of the switch over.

SBS Standard and Essentials, 2008 and 2011, DO NOT support multiple NICs. Doing so will cause DNS issues, and can break other network functions such as DHCP and the SBS wizards, in addition to losing Microsoft support if you have issues.

Is PPTP secure?
That is a good question. PPTP is actually the method used to establish the connection which has not really changed in many years, however the encryption and authentication methods used, or rather enforced, in conjunction with PPTP have improved substantially. You can create an L2TP/IPSec VPN with a Windows server, or with server 2008 and newer an SSTP VPN both of which are a little more secure but the process is much more involved.

If you really need a VPN, it is my opinion you are far better off to buy a proper IPSec VPN appliance (router), my preference being the Cisco ASA 5505 series. A proper IPSec VPN has better encryption but it also allows using certificates to avoid man-in-the-middle attacks, and a much more secure client over which the admin has better control, as well as over its deployment, rather than the user; it moves authentication to the perimeter of the network, and it usually performs a little better because the encryption/decryption is on a dedicated device.

PPTP is the built-in VPN of choice with all Windows SBS versions. Each SBS version prior to SBS 2011 Essentials had a wizard to install it and a VPN comes pre-enabled on Server 2012 Essentials (SBS’s replacement). It is easy to set up, relatively secure, and easy for end users to use. However, I mentioned; “If you really need a VPN”. Encryption is not the primary security concern with a VPN. Once the connection is established there is a wide open tunnel between the corporate network and a remote computer and network, over which you have absolutely no control. You have no idea on what computer the user has installed the client, if they have security updates installed, if they have anti-virus software installed (many viruses spread over network connections with file sharing enabled), or if they have enabled split tunneling (un-checked use remote default gateway) which could allow an attack from a neighbouring computer making use of the VPN tunnel, such as Johnny playing video games in the bedroom.

SBS Essentials has the luxury of offering SSL Remote Web Access to LAN PCs and servers, which can be used for copying files as well if necessary, and also web-based access to shared folders. SBS Standard, or if you subscribe to Office 365, also offers remote access to SharePoint, and Outlook using Outlook Web Access or rpc/http. By enforcing these options rather than a VPN you can also allow access to read, edit, and create files using RWA or a Terminal Server but disable the ability to copy files to a local PC, protecting against the theft of critical corporate data. Therefore you need to ask; “do you really need a VPN”?

I am afraid not, at least not with native SBS Essentials server features. The only option would be to force the user to only have access to the Internet via the VPN (using the “use remote default gateway” option, which of course they could change), and then add a proxy server at the corporate site which can limit and monitor internet access.

This has got to be one of THE best written-up help pages for configuring an SBS VPN. You deserve MANY kudos!

One thing I’ve been wrestling with is trying to access OTHER servers on the LAN, from any VPN Client PC. I can PING the other servers, including a copy machine, but when I try to use any services, such as SMB or HTTP, it’s blocked.

Since I can PING them, I know I’m good with routing, but the blocking implies filters or some stupid firewall in the middle. In my case, I had the windows firewall off and Symantec Endpoint protection on, and I’m afraid that’s doing it, although there is nothing there that I can find. Same goes for any inbound or outbound filters set in RRAS. I’m curious if you’ve seen this before. Turns out I have another client with a similar set up and they have exactly the same issue – I can ping, but I cannot access ports 80, 443, 139, etc. on any internal device, just those ports local to the SBS/VPN server.

Since I’ve asked it here, I am hoping someone else has seen this too. In the meantime, I’m removing SEP from one of the servers to see if that will resolve it.

Most often when you can connect to the RRAS server but not access any other device on the LAN it is due to the client and server sites using the same subnet, and therefore routing cannot take place. Since you can ping, that rules out routing as you said.

The next most common problem is software firewalls on the PC’s or server to which you are trying to connect. By default pings (ICMP requests) are usually allowed from any IP. Also services, such as remote desktop, when enabled, automatically generate a firewall exception allowing connections, however, usually only from the local subnet. To allow remote connections you may have to edit the firewall policy’s scope options manually to allow ‘any’ computer, or add the remote subnet. If controlled by group policy (probably not with SBS Essentials) you can follow Pete Long’s excellent explanation. http://www.petenetlive.com/KB/Article/0000193.htm

SEP and other 3rd party firewalls most often work in the same way, restricting access to domain, LAN, or subnet.

I’m trying to set this up right now, great guide, and I appreciate you taking the time. Only problem I am having is when it comes to setting conditions, I don’t have the ability to add a user group, I have location group, or individual user, and neither brings up the dialog to choose existing users/groups, just type in a user name that doesn’t get checked/underlined. Any ideas?

Christopher you can avoid the policy altogether if you want to manually check “allow access” under the user’s profile in active directory on the dial-up tab, if you want a work around. However, it might be best to send me an e-mail (there’s an address on the LAN-Tech link at the top), rather than back and forth here. We can post the end result for those that follow. To confirm though, it is SBS 2011 Essentials? and, you created a new Network policy and under conditions clicked add?

Thanks for the article. Before I try it out can I ask you if it’s suitable for our situation? We have a main office in city A, and a second office in city B (with one staff member, it’s a new branch). Basically trying to set things up so the staff in office B can access our server in office A. I’ve tried Hamachi but it seems to be messing with our server (emails sluggish, one user lost internet access, one of the scanners not emailing scans to people etc.) So trying to find an alternate solution. Does windows VPN mess with the DHCP too? We are using SBS 2011. Thanks

Hi tahnabee.
The Windows VPNs will work fine for a worker in the remote office. However, it may not work for multiple workers at the same site. It is really intended for mobile workers, all of which would connect from different sites. If you have multiple workers connecting from the same site two problems can occur; a drop in communications due to the fact that the server sees the connections coming from the same public IP, or an issue with the router at the connecting site. Most routers have a limit as to how many outgoing PPTP VPN connections they will support. Many are limited to 1. This is a limit on the connecting client’s site’s router, not the server’s site. If you have multiple workers at a given site wanting to connect to the SBS, you are best to install a VPN capable router at each site and create a static site-to-site VPN rather than using a client. This is also more stable and makes the connection seamless to the users.

You mention you are running SBS 2011. With SBS you cannot introduce a second network adapter, physical, virtual, or VPN. Adding Hamachi adds a virtual/VPN adapter which can affect DHCP and more. It can be very problematic, so I would avoid it in this situation, though Hamachi is a good product. The Windows VPN will not cause that problem.

Please note, these instructions are for SBS 2011 Essentials not SBS 2011 Standard. If running standard, please use the VPN wizard located in the SBS control panel under network / connectivity.

1 will work fine, 2 or 3 may, it’s worth a try, but if the second connection causes the first to drop you know why. Site to site VPN’s are the better choice as they offer better security, better performance, and easier to manage. These days you can buy a VPN router starting at $150 (US/Cdn.), though you need 2.

Do you really need a VPN? SBS offers Sharepoint, Outlook with rpc/http, remote web workplace with shared folders, and more such that VPN’s are seldom needed. May I ask why you need a VPN?

We need VPN because we use Autodesk Revit to document buildings, and Revit basically allows multiple people to collaborate on one file simultaneously. http://images.autodesk.com/apac_grtrchina_main/files/aec_customer_story_en_v20.pdf
We obviously have jobs in city A and city B, but sometimes we get the staff from city A to help city B and vice versa. Revit central files only work when they’re stored on a server, so we are keeping everything on our server in city A. Hope that makes sense. I do have a spare computer in city A that the staff member can remote into, but sometimes we need to use that computer and ideally they would work and collaborate straight on their own computer in city B. Again, learning as I go 🙂
Here is a good discussion on what we want to do:http://feedback.autodesk.com/cloudservices/topics/cloud_and_revit_central_file

Dropbox isn’t perfect because for things to run smoothly and our office of 30 people to not get confused, we really need to keep the Revit central files in their relative project folders on the server. Central files are tricky, if you just copy them to another location it doesn’t move the central file, it creates a local file. Though people seem to say dropbox does work for some reason…

Anyway I might look into the site to site VPN. Fingers crossed the Autodesk Cloud service one day allows us to use central files!

Thanks for the details tahnabe. This is, in theory, a good application for a VPN, and agreed the other options I suggested, except for Remote Web Access to a PC, are of little use.

I had asked as VPN’s have 2 primary weaknesses. 1) Security: a wide open tunnel between a remote computer over which you have no control, and 2) Performance. The former is not relevant as it is a corporate computer on a controlled site. I had asked about why you need a VPN being concerned performance may be an issue.

Performance is a big issue here. VPN’s will not work at all with database files such as Access, or many accounting applications like Quickbooks, and Simply Accounting. The VPN is too slow and the applications are too chatty resulting in very poor performance, often complete failure, and possible data corruption. I am not familiar with Autodesk Revit, but I am with AutoCAD, and I did a little reading about Revit. Both are very graphic intensive, and use large files which again, due to the slow network performance, will probably make it unusable. Most offices today use Gigabit, if not at least 100 mbps. VPN’s tend to be at best about 3 mbps, keeping in mind this is a bi-directional connection making the upload speed the limiting factor. I couldn’t find network requirements for Revit, but some on-line posts suggest you need 30 mbps or better between the offices. If you have a fibre connection, you may have that speed. The Autodesk site does make many references to using Citrix which is a 3rd party application similar to remote desktop, but has slightly better performance. This would by far outperform a VPN, but even with it they mention “functionality will vary depending on network performance”. Remote Desktop, to a PC or Terminal Server (now called a Remote Desktop Server –RDS server) is ideal from the point of keeping files in a central location, security by retaining all data on-site, and performance. However remote desktop’s weakest feature is graphics. Thus it has never been great for anything using large graphic files, or even worse with streaming media. Having said that with the proper hardware and recent server operating systems you can run RemoteFX, which is Remote Desktop on steroids. It works great with graphics and even streaming media.

In summary, there is no question using RemoteFX to connect to a RemoteFX capable server or virtual PC at the main office would be the best solution for you, but I have to appreciate we are all limited by budgets. Your best bet is to test the VPN. Using the Windows VPN is easy to set up, and there is no cost to doing so, other than a little time on your part. It will certainly work, but the question is the performance. If it does work OK you can then move forward and try a second user, and should a site-to-site VPN be necessary, then you know the investment is worthwhile. Should it not work at all, I would at least test connecting to an office PC using Remote Web Workplace (Remote Desktop) to again test the performance with that method.

Thank you so much for you help Rob, really appreciate it. You’re right performance is a big issue, there’s no point having the VPN if it takes an hour for Revit locals to sync to the central. We are currently waiting for fiber to be rolled out everywhere, things will be so much easier when we get that!
Because we only have 1 person at the moment in office B it’s not worth spending money until the business expands.
I will try the sbs vpn this coming week, will keep you updated on the journey 🙂

Hey Rob,
Just thought I’d give you a quick update, we have one computer working well in office B with sbs vpn so that’s good (apart from the slowness obviously). I couldn’t get the second computer working as well though I may have just been entering in the details wrong I think. Anyway so far so good.

I had setup VPN according to your instructions around an year ago, everything worked perfectly, where I connected with windows 7, windows 8 and macbook clients. Thank you for writing such a detailed VPN setup. It is very informative, and the screen captures made it extremely easy to follow.

Recently though, I have also successfully setup VPN on an Android (Ver 4.3, Samsung Galaxy Note 10.1). However once I am connected to VPN I can no longer access Internet, where applications such as internet browsers, emails, app store will fail.

I think it relates to the Windows Server overwriting the DNS of the client during the VPN connection. In one of your comments you’ve asked people to uncheck “Use default gateway on remote network” on Windows, but I cannot find similar settings on the Android device.

Any idea on how I can solve this?

If at all possible, I would prefer a solution where I can configure PPTP settings on the client side or server side. Otherwise, I read somewhere that IPSec Xauth PSK seems to work, but I already have some IPSec settings on the router, and also read somewhere about SBS not having that capability.

Here are more information about my IPSec setup. I currently have a Billion 7800VDOX router, with IPSec setup which is peering with another Billion 7800VDOX router. One of them have PPTP passthrough to a Windows SBS 2011 essential server, setup exactly as you have described.

Any help will be appreciated, and would like to thank you once again for the detailed walkthrough.

I am assuming when you say you can no longer connect to the Internet once the VPN is connected, you mean just on the Android device. If you are referring to all PC’s that is a different issue, please let me know.

All VPN’s, PPTP, IPsec, L2TP, will block all local access once connected, including the Internet through your local gateway or service provider. This is a security feature to protect the corporate network from a local hacker while you are connected. It can usually be unblocked by enabling “split tunneling” which allows VPN and local access simultaneously. This is done in a variety of different ways depending on the type of VPN. On some set ups it is enabled by default. Some you can control on the client end, such as the Windows VPN client with “use remote default gateway”, and some you control on the VPN server end such as with a Cisco router. Unfortunately I am not familiar with the Android VPN app. If there is no similar feature available you might try looking for another VPN client that offers additional configuration options.

As for setting up an IPsec VPN, that is beyond the scope of this article. It is quite a bit more complex. When doing so it is also best to use a VPN router rather than a Windows Server, and in many cases you have to be able to obtain a matching or suitable IPsec VPN client. Generic will not always work.